[Zope] dynamically created tablename in ZSQL

Casey Duncan casey@zope.com
Fri, 5 Jul 2002 09:49:09 -0400


On Friday 05 July 2002 07:55 am, Roger Erens wrote:
> Hello all,
>
> I would like to choose via a formfield (called 'tablename') which table
> ('employers' or 'employees') is going to be queried.
>
> I use in my ZSQL Method the following:
> select * from <dtml-var tablename>
> because
> select * from <dtml-sqlvar tablename type=string>
> results in e.g.
> select * from 'employees'
> which results in an SQL error because of the quotes.
>
> Any advice with respect to the safety of using the dtml-var, i.e. could the
> formfield 'tablename' be fiddled with to contain something like 'employees;
> delete from employees'?
>
> Is there an alternative solution to get rid of the quotes in the
> dtml-sqlvar?
>
>
> best regards,
> Roger Erens

If you use <dtml-var> in a Z SQL method, be sure to use the sql_quote option so
that characters like ";" and "'" are properly escaped, i.e.:

SELECT * FROM <dtml-var tablename sql_quote>

hth,

-Casey
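The thread above is about a table name, which sits in SQL identifier position rather than inside a string literal. A quote-escaping helper only changes quote characters, so a form value that contains none (like the "employees; delete from employees" example Roger gives) passes through it untouched. The usual defence for a dynamic identifier is to accept only names from a fixed allowlist before interpolating them. The following Python is an added example written here; it is not Zope's code and not Roger's or Casey's. The `sql_quote` function is a simplified stand-in (assumed to only double single quotes; Zope's real implementation is not reproduced), and `ALLOWED_TABLES` holds just the two tables named in the question.

```python
# Added example, not part of the original thread or of Zope itself:
# safely choosing a table name from a form field.  Table names are SQL
# identifiers, not string literals, so quoting alone cannot protect them;
# the robust approach is an allowlist of known table names.

# The two tables Roger mentions in his question (assumption: these are the
# only ones the form should ever be able to select).
ALLOWED_TABLES = frozenset({"employers", "employees"})


def sql_quote(value):
    """Simplified stand-in for a string-literal quoting helper.

    Assumption: it doubles single quotes so the value can sit inside '...'.
    It deliberately does nothing else, which is why it cannot help in
    identifier position.
    """
    return value.replace("'", "''")


def is_safe_identifier(name, allowed=ALLOWED_TABLES):
    """True only if name is exactly one of the allowed table names."""
    return name in allowed


def build_query(tablename, allowed=ALLOWED_TABLES):
    """Build "SELECT * FROM <table>" for an allowlisted table name.

    Raises ValueError for anything not on the allowlist; a ZSQL method
    should reject the request at this point instead of interpolating.
    """
    if not is_safe_identifier(tablename, allowed):
        raise ValueError("unknown table name: %r" % (tablename,))
    # Identifier position: no quotes around the name.  Interpolating it
    # verbatim is only acceptable because it was validated just above.
    return "SELECT * FROM %s" % tablename


def quoted_literal_query(tablename):
    """What <dtml-sqlvar tablename type=string> produces: a quoted string
    literal in identifier position, which is the syntax error Roger hit."""
    return "SELECT * FROM '%s'" % sql_quote(tablename)


if __name__ == "__main__":
    print(build_query("employees"))
    print(quoted_literal_query("employees"))
    for bad in ("employees; delete from employees", "customers"):
        try:
            build_query(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The `quoted_literal_query` function shows why `dtml-sqlvar` gives the error Roger describes, and `sql_quote` applied to his sample input returns it unchanged, which is the point of validating the identifier against a list instead of escaping it.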